Added detail for certificate rotation feature

Author: tonbut

modules/ROOT/pages/security/ssl-framework.adoc

@@ -1108,6 +1108,31 @@ Beware that the SSL debug option logs a new statement every time a client connec
 To avoid that scenario, make sure this setting is only enabled for a short term duration.
 ====
 
+[[certificate-rotation]]
+== Certificate Rotation
+It is considered best practice to use certificates with reasonably short duration. This, however, requires the periodic rotation of certificates whereby old certificates are removed and the new ones installed. Previous versions of Neo4j required a the restart of a database instance for changes to be applied. New certificates can now be rotated in and SSL configuration changed without a restart being required. This reduces undesirable effects of transient loss of cluster members. 
+
+. Enable the dynamic reloading of certificates on all cluster members. It is best to do this when the cluster is deployed as changing this configuration requires a restart:
+
+[source, properties]
+----
+dbms.security.tls_reload=true (default is false)
+----
+
+. Make necessary changes to any of the SSL configuration and/or replace certificates for desired scopes. New certificates will need to be copied to all cluster members as required.
+
+. Connect to each cluster member in turn using Cypher Shell using a bolt scheme and run the reload procedure:
+
+[source]
+----
+dbms.reloadTLSCertificates()
+----
+
+. New settings will take effect immediately, however existing connections will not be pre-emptively terminated.
+
+. Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described above.
+ 
+
 [[ssl-terminology]]
 == Terminology